CRAVEX: Vulnerability exploitability: Identify and store a vulnerability exploitability

[pombredanne]

Create UI and DB models to create and store effective exploitability both org-wide and app- or product-specific.

We should also include tracing data to document the disposition of a vulnerability. (e.g., Tag a package as affected or not either globally, or just for one or more products)

[DennisClark]

see related issue aboutcode-org/vulnerablecode#1028

[tdruez]

The next step is to implement the VulnerabilityAnalysisMixin into a concrete Product-context model.
The fields available on this mixin are an implementation of the CycloneDX model.
Once the concrete model is done, those fields should be added to the Product > "Vulnerabilities" tab as new sortable/filterable columns.
Also, an add/edit form should be added in a modal so the Vulnerability analysis fields can directly updated from this tab.

Once this is completed, those fields can be added to the CycloneDX VEX output, at #108

[pombredanne]

from: #108 (comment)

Once the analysis fields from #98 (comment) are available, those can be added in the Vulnerability.as_cyclonedx() method at https://github.com/aboutcode-org/dejacode/blob/main/vulnerabilities/models.py#L206
The content of as_cyclonedx() is directly available in the new VEX output.

[tdruez]

Implemented in #187

Introduce a new VulnerabilityAnalysis model based on CycloneDX spec: https://cyclonedx.org/docs/1.6/json/#vulnerabilities_items_analysis
A VulnerabilityAnalysis is always assigned to a Vulnerability object and a ProductPackage relation.
The values for a VulnerabilityAnalysis are display in the Product "Vulnerabilities" tab.
A "Edit" button can be used to open a form in a model to provided analysis data.
Those new VEX related columns can be sorted and filtered.
The VulnerabilityAnalysis data is exported in the VEX (only) and SBOM+VEX (combined) outputs.